Bug ID 542751: In portal access mode, APM may not handle mangled requests for SAML URLs

Last Modified: Mar 21, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Sep 01, 2015
Severity: 3-Major

Symptoms

Mangled SAML SSO requests (e.g. '/f5-w-...$$/saml/idp/profile/redirectorpost/sso') are processed internally by APM instead of being forwarded to the internal server. As a result, an error is logged in /var/log/apm: "SSOv2 Error: No SP Connector attached to SAML SSO from assigned SAML resources matching authentication request."

Impact

SAML SSO will not work.

Conditions

All conditions must be met:
- BIG-IP1 is configured for portal access.
- BIG-IP2 is used as SAML Service Provider.
- BIG-IP2 must be located behind portal rewrite.
- User attempts to initiate SAML SSO on Service Provider.

Workaround

None

Fix Information

None

Behavior Change